CVE-2026-53174
Received - Intake
Linux Kernel OverlayFS Directory Traversal Flaw

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

ovl: keep err zero after successful ovl_cache_get()

ovl_iterate_merged() stores PTR_ERR(cache) in err before checking IS_ERR(cache). On success err holds the truncated cache pointer and can be returned as a bogus non-zero error.

The syzbot reproducer reaches this through overlay-on-overlay readdir:

  getdents64
  iterate_dir(outer overlay file)
  ovl_iterate_merged()
  ovl_cache_get()
  ovl_dir_read_merged()
  ovl_dir_read()
  iterate_dir(inner overlay file)
  ovl_iterate_merged()

Only compute PTR_ERR(cache) on the error path.

Affected Vendors & Products
Vendor | Product | Version / Range
linux | linux_kernel | *
CWE ID Description
CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's overlay filesystem code. The function ovl_iterate_merged() stores PTR_ERR(cache), the cache pointer converted to an error code, in a variable named err before checking whether the cache pointer is actually an error (IS_ERR(cache)). If the cache pointer is valid (not an error), err is left holding the truncated pointer value, a non-zero number that looks like an error, so the function can return a bogus error instead of success.

The issue occurs during overlay-on-overlay directory reading operations, where nested overlay filesystems are involved. The fix ensures that PTR_ERR(cache) is only computed on the error path, preventing err from holding a misleading non-zero value after a successful cache retrieval.
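
The pattern described above, shown as an added userspace C model; it is not the kernel's code and not part of the original advisory. ERR_PTR, PTR_ERR and IS_ERR are re-created here as local macros, and struct dir_cache, cache_get(), iterate_buggy() and iterate_fixed() are hypothetical names used only for illustration.

```c
#include <errno.h>
#include <stdint.h>

/* Userspace stand-ins for the kernel's error-pointer helpers. */
#define MAX_ERRNO  4095
#define ERR_PTR(e) ((void *)(intptr_t)(e))
#define PTR_ERR(p) ((long)(intptr_t)(p))
#define IS_ERR(p)  ((uintptr_t)(p) >= (uintptr_t)(-MAX_ERRNO))

struct dir_cache { int refcount; };      /* hypothetical stand-in type */

/* Hypothetical lookup: a valid pointer, or ERR_PTR(-ENOMEM) on failure. */
void *cache_get(int fail)
{
    static struct dir_cache cache = { 1 };
    return fail ? ERR_PTR(-ENOMEM) : (void *)&cache;
}

/* Pattern from the description: err is assigned before the IS_ERR() check. */
int iterate_buggy(int fail)
{
    void *cache = cache_get(fail);
    int err = (int)PTR_ERR(cache);   /* success: low bits of a valid pointer */

    if (IS_ERR(cache))
        return err;
    /* ... emit directory entries; nothing on this path resets err ... */
    return err;                      /* truncated pointer returned as an error */
}

/* Fixed pattern: PTR_ERR() is evaluated on the error path only. */
int iterate_fixed(int fail)
{
    void *cache = cache_get(fail);
    int err = 0;

    if (IS_ERR(cache))
        return (int)PTR_ERR(cache);
    /* ... emit directory entries ... */
    return err;                      /* stays zero after a successful lookup */
}
```

Both variants return -ENOMEM when the lookup fails; they differ only on the success path, where the buggy variant returns whatever the low bits of the pointer happen to be.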

Impact Analysis

This vulnerability can cause functions that read directories in overlay filesystems to incorrectly report errors even when operations succeed. This may lead to unexpected failures or incorrect behavior in applications or systems relying on overlay filesystems, especially when overlay filesystems are nested.

Such incorrect error reporting could disrupt file system operations, potentially causing application errors, system instability, or data access issues in environments using overlay filesystems.
